HTTP Headers

We recommend using the following additional security headers.

  • Strict-Transport-Security: Set this header if the Engine is to be accessed via HTTPS only. For more information, see: Strict-Transport-Security. You can adjust this in the embedded Tomcat with the pre-configured HTTP Header Security Filter in the web.xml

  • Content-Security-Policy: Set this header if you want to reduce the risk of having an exploitable Cross-site scripting (XSS) vulnerability. With a Content-Security-Policy, you can define from which locations external resources can be loaded and if scripts embedded in HTML can be executed. For more information, see: Content Security Policy (CSP).

    We recommend implementing these headers on a reverse proxy securing your Axon Ivy Engine. In case you have no reverse proxy, check How do I integrate the Axon Ivy Workflow Frontend in my Web App? <> for a CSP example using the embedded Tomcat.

  • Referrer-Policy: Set this header if you want to control how or if the referrer is disclosed to other sites. For more information, see: Referrer-Policy